Hi! I have an application level hex dump that I imported into Wireshark successfully with text2pcap. I have what is sent and what is received, and I want to reflect that conversation in Wireshark. So I created two hex dumps, one for reads and one for writes, and converted them to two pcap files, reversing the fake TCP port numbers.

But the problem I have is that text2pcap inserts 1.1.1.1 and 2.2.2.2 as origin and destination IP addresses, and I found no way to change this. I would need to reverse the IP addresses in the read hex dump import, or just use the same IP address for both origin and dest, as if the server and client are on the same machine.

Is there a way to change the fake IP addresses in text2pcap?

Thanks! Best, Alf

asked 04 Oct '12, 06:55 arpena
2 Answers:
You said "application-level dump", so I assume you used -u or -T to add a fake UDP or TCP header.

Unfortunately, text2pcap doesn't have an option to control the assignment of fake IP addresses (and I checked the code - they're hardwired to 10.1.1.1 and 10.2.2.2), so there isn't a way to change the IP addresses it assigns.

Bittwist might let you process the packets and rewrite the IP headers to have the same source and destination addresses.

answered 08 Oct '12, 15:24 Guy Harris ♦♦
text2pcap will add a dummy IP header (10.1.1.1 and 10.2.2.2) in these circumstances:
So, without information on how you called text2pcap, it's hard to say which of the above conditions apply.

Regards

answered 08 Oct '12, 12:06 Kurt Knochner ♦ edited 08 Oct '12, 12:06
Excellent recommendation. I was able to change the read-pcap file with this command:

    ./bittwiste -I database-read.pcap -O database-read-mod.pcap -T ip -s 2.2.2.2 -d 1.1.1.1
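
What an address rewrite like the one in the command above has to change in the capture file, as an added Python example (not part of the thread, and not bittwist or text2pcap code): the IPv4 source and destination fields, the IP header checksum, and the TCP/UDP checksum, which covers the addresses through the pseudo-header. It assumes a classic pcap file with Ethernet link type; the function names and the sample packet are constructed for illustration.

```python
import struct
CLIENT, SERVER = bytes((10, 1, 1, 1)), bytes((10, 2, 2, 2))  # dummy addresses named in the answers

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum (ones' complement of the 16-bit sum)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rewrite_frame(frame: bytes, src: bytes, dst: bytes) -> bytes:
    """Set IPv4 src/dst in one Ethernet frame; refresh IP and TCP/UDP checksums."""
    ihl = (frame[14] & 0x0F) * 4 if len(frame) >= 34 else 0
    if frame[12:14] != b"\x08\x00" or ihl < 20 or len(frame) < 14 + ihl:
        return frame                              # not a usable IPv4 frame: untouched
    ip = bytearray(frame[14:14 + ihl])
    end = 14 + struct.unpack("!H", ip[2:4])[0]    # end of the IP datagram
    ip[12:16], ip[16:20], ip[10:12] = src, dst, b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    l4, proto = bytearray(frame[14 + ihl:end]), ip[9]
    off = {6: 16, 17: 6}.get(proto)               # checksum offset in TCP / UDP header
    fragmented = struct.unpack("!H", ip[6:8])[0] & 0x3FFF
    if off and not fragmented and end <= len(frame) and len(l4) >= off + 2 \
            and not (proto == 17 and l4[off:off + 2] == b"\x00\x00"):  # UDP 0 = no checksum
        l4[off:off + 2] = b"\x00\x00"
        c = csum(src + dst + struct.pack("!BBH", 0, proto, len(l4)) + bytes(l4))
        l4[off:off + 2] = struct.pack("!H", 0xFFFF if proto == 17 and c == 0 else c)
    return frame[:14] + bytes(ip) + bytes(l4) + frame[14 + len(ip) + len(l4):]

def rewrite_pcap(data: bytes, src: bytes, dst: bytes) -> bytes:
    """Rewrite every record of a classic pcap file (Ethernet link type only)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl]
        out += data[pos:pos + 16] + rewrite_frame(frame, src, dst)
        pos += 16 + incl
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-packet capture: TCP 10.1.1.1 -> 10.2.2.2, checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 5678, 0, 0, 0x50, 0x18, 8192, 0, 0) + b"SELECT 1"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, CLIENT, SERVER)
    frame = bytes(12) + b"\x08\x00" + ip + tcp
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) \
        + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Calling `rewrite_pcap(data, SERVER, CLIENT)` on the bytes of the "read" capture reverses the direction of every packet in it; passing the same address twice gives the single-host variant the question asks about.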